Skip to main content
All CollectionsBest Practices
PCI DSS Self-Assessment for Paysafe
PCI DSS Self-Assessment for Paysafe

How to comply with the Payment Card Industry Data Security Standard (PCI DSS).

Samantha Postlethwaite avatar
Written by Samantha Postlethwaite
Updated over a month ago

Merchants must show an Attestation of compliance with the payment industry security standard (PCI DSS). For organizations with Paysafe, this means accessing the PCI portal and completing the PCI DSS Self-Assessment Questionnaire (SAQ) every 12 months.

We'll explain how to log in to the PCI portal and how to answer the

questionnaires so you receive the Attestation of compliance (AOC).

❗ Please read this article (and FAQs section) very carefully ❗

Step 1 - Log in to the PCI DSS compliance portal

If your merchant account was opened in 2024, you may not yet be boarded into the PCI portal. If no one in your organization has received an invitation, please be patient. You should be hearing from them shortly. Amilia is working with Paysafe to ensure all organizations become PCI compliant. Thank you!

After your merchant account has been set up, the contact your organization provided will receive a username and password (from notifications@pcidssportalna.com) to log in to the PCI portal at https://pcidssportalna.com/.

See our FAQ if you haven't received any emails or want to change your contact.


Step 2 - Answer the questionnaires

The business profile and security assessment (SAQ) are exclusive to card payments in your Paysafe merchant account. Your SAQ type is relative to how you accept card payments.

Pick one answer guide based on whether your organization accepts card payments in the Amilia SmartRec store only (SAQ A), with a PAX A920 integrated terminal only (SAQ P2PE), or with both (SAQ D).

❗ To be PCI compliant, your wireless router (if any)

must be encrypted and password protected.

🛒 If you take payment cards in the SmartRec store only

🛒 💳 If you take payment cards in the SmartRec store &

with a PAX A920 integrated terminal

💳 If you take payment cards with a

PAX A920 integrated terminal only

Step 3 - Maintain compliance

When the questionnaires are successfully completed, you can download the Attestation of compliance (AOC), which is valid for 12 months.

Email notifications are sent to the main contact when it's time to renew the AOC or complete an outstanding task in the PCI portal.


FAQs

What is PCI DSS and how do I become PCI compliant?

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of technical and operational requirements to protect cardholder and sensitive authentication data. It's set by the Payment Card Industry Security Standards Council (PCI SSC), an independent body founded by the major credit card brands – American Express, Discover, JCB International, Mastercard, UnionPay and Visa Inc.

Merchants must provide proof of compliance for each payment provider they use. Paysafe's PCI DSS covers card payments processed in a Paysafe merchant account. This includes all credit cards brands - Visa, MasterCard, American Express, Discover Network, JCB. It includes debit & credit cards, gift cards, and prepaid cards. Organizations that use Paysafe to process debit and credit card payments must log in to the Paysafe PCI portal to provide proof of compliance, in the form of:

  • An Attestation of Compliance

  • Self-Assessment Questionnaires with signature

  • Scan results (if applicable)

Click here and scroll down for resources and FAQs from the PCI SSC's website.

Who can I contact for help?

⌨️ For help with Paysafe's PCI portal, your Paysafe merchant account or your SmartRec store, start a chat with the Amilia SmartRec support team!

Paysafe has partnered with VikingCloud (the leading 'predict-to-prevent' cybersecurity and compliance company) to provide the Paysafe PCI portal to support merchants with their Paysafe PCI DSS compliance. We'll work together to help you with this process.

Who is invited to join the PCI portal? What if I didn't get an invitation?

The invitation for the PCI portal is sent to the main contact email that was provided at the time the merchant account was opened. If you're unsure which contact email was provided or if the contact email needs to be updated/changed, let us know.

If the contact email is correct but you want someone else to do the assessment, you must add them as a user to the portal. Adding a user to the portal doesn't make them the main contact. Contact us if you wish to change the main contact.

If you didn't receive an invitation to join the PCI portal, please start a chat with the Amilia SmartRec support team and type 'agent' to speak with a person.

How do I change the main contact?

Please start a chat with our support team and we'll be happy to help. However, the invitation email IS NOT SENT to the new main contact. After the main contact has been changed, they must visit the PCI portal login page and click 'Forgot password'. An email will then be sent so they may configure their login credential.

How do I add another user to the PCI portal?

You can add additional users to log into the PCI portal as well as receive a copy of the communications. To add another user to the portal, click on the silhouette icon in the upper right corner, then 'Users', and then 'Create new user'.

Are reminders sent to complete the assessment?

The contact is sent a reminder every week to log into the PCI portal to complete the assessment, until both the questionnaires (business profile and security assessment) have been answered.

Are Federations responsible for its clubs' PCI DSS compliance? Or is each club responsible for completing its own PCI DSS assessment?

A PCI DSS assessment must be completed for each merchant account. If a Federation uses one merchant account for all its clubs, then the Federation is responsible for completing the PCI DSS business profile and security assessment.

If each club has its own merchant account, in that case the club is responsible for logging into the PCI portal and completing the PCI DSS business profile and security assessment.

Are there fees or penalties involved with PCI compliance?

The payment card industry (PCI) sets compliance requirements and dictates penalties for non-compliance, which are in turn administered by the payment processor (i.e., Paysafe). There are monthly fees to use the PCI portal, but Amilia SmartRec absorbs these fees for each merchant.

However, there are non-compliance fees if Paysafe's PCI requirements aren't completed in a timely manner. These taxable fees will appear on the monthly Amilia invoice as its own line item (PCI non-compliance fee) under the Network assessment fees.

  • New merchants have 45 days from the time their merchant account is opened to log in to the PCI portal to complete the assessment. After this time, these fees will be charged to the merchant on a monthly basis, appearing on the upcoming Amilia invoice. If the 45 day period is up on the 5th of May and the questionnaire is completed on the 6th of May, the PCI non-compliance fee will be charged at the end of the month and will appear on the June Amilia invoice.

  • Once they become compliant, fees will stop being charged for a duration of 12 months from the time the PCI DSS assessment has been completed.

If your organization is in the United States, monthly penalties of $34.95 (USD) will be applied if you don't complete the assessment.

If your organization is in Canada, monthly penalties of $45.95 (CAN) will be applied if you don't complete the assessment.

What is an SAQ type?

SAQ is an acronym for 'Self-Assessment Questionnaire'. The SAQ type refers to the type of security assessment that merchants completed based on how they handle card payments processed in their Paysafe merchant account.

Merchants using Amilia SmartRec fall into one of three SAQ types:

  • SAQ type A: Only handles card payments via the Amilia SmartRec ecommerce store

  • SAQ type P2PE: Only handles card payments with a PAX A920 integrated terminal

  • SAQ type D (A + P2PE): Handles card payments via the Amilia SmartRec ecommerce store and with a PAX A920 integrated terminal.

For more details on each SAQ type, please see the glossary in the PCI portal.

I obtained the AOC before PCI 4.0 came into effect. Is it still valid?

PCI 4.0 came into effect in April 2024. Merchants who already completed their compliance prior to this date are good to go until their renewal date in 2025. Merchants who haven't started their questionnaires will be presented with the 4.0 version of the questionnaires.

Merchants who started their business profile and/or security assessment but stopped halfway may click on their Business profile and reset the questionnaire to load the improved (and simpler) 4.0 version of the questionnaire.

What if my organization moves to another acquiring bank within Paysafe?

If existing merchants in the US, boarded with Merrick Bank or Vantiv (prior to 2021), want to move to BBVA bank to unlock the ability to use Pax terminals and AMEX, there will be a process by which Paysafe can move the compliance documentation over to their new BBVA MID. Please start a chat with our support team if this is the case.

What if I already have an Attestation of Compliance (AOC)?

If your organization obtained an Attestation of Compliance (AOC) for its Paysafe merchant account(s) outside of the PCI portal, then you can upload it to the PCI portal.

Remember, an AOC is only good for a period of one year. You must return to the PCI portal to renew it each year.

To upload your AOC, click 'Manage' on the business profile and on the 'Choose an assessment method' page, you will have the option to upload the document.

Can I accept card payments by mail or telephone order?

Transmitting sensitive cardholder information by mail or telephone order is a security risk to your organization and your customers. Don't select this option.

When responding to how you accept card payments, select whether you accept card payments face to face (with an integrated A920 PAX terminal), in the Amilia SmartRec e-Commerce store, or both.

Who is the Merchant Executive Office?

When completing the security assessment, you must specify the title and name of the individual serving as your Merchant Executive Officer. This could be the person who signed your merchant application, or who holds executive authority within the organization. For smaller organizations, this could be the owner. For larger organizations, this could be a director, executive or someone with authority on your finance team.

* Last updated in April 2024

Did this answer your question?